FREEBSD系统优化精华

1、优化内核
    mkdir /usr/kern
    cp /usr/src/sys/i386/conf/GENERIC /usr/kern/proxy
    ln -s /usr/kern/proxy /usr/src/sys/i386/conf/proxy
    cd /sys/i386/conf
    ee proxy
    options IPFILTER #ipfilter support
    options IPFILTER_LOG #ipfilter logging
    options IPFILTER_DEFAULT_BLOCK #block all packets by default
    options TCP_DROP_SYNFIN
    options PQ_LARGECACHE
    ## 为512k二级缓存的CPU提供支持
    options SC_DISABLE_REBOOT
    ##屏蔽Ctrl+Del+Alt热键重启系统
    #To make an SMP kernel, the next two are needed
    options SMP #Symmetric MultiProcess Kernel
    device apic # I/O APIC
    #如果没有双cpu就不需要了
    #####加入对polling的支持##################################
    #options DEVICE_POLLING
    #options HZ=1193
    在/sys/kern/kern_pool.c里面找到#error一行删掉。
    在/etc/sysctl.conf里面加入 kern.polling.enable=1
    DEVICE_POLLING不能跟SMP同时使用,所以本服务器可省略。
    ###########################################################
    其余的优化选项可参考其他内核优化的文章。
    2、系统资源优化
    ee /etc/sysctl.conf
    #######################/etc/sysctl.conf############################################
    net.inet.tcp.rfc1323=1
    net.inet.tcp.rfc1644=1
    net.inet.tcp.rfc3042=1
    net.inet.tcp.rfc3390=1
    #### 某些加快网络性能的协议,请参考RFC文章。
    net.inet.ip.forwarding=1
    ##作路由必须打开
    net.inet.ip.sourceroute=0
    net.inet.ip.accept_sourceroute=0
    ##安全方面的参数
    kern.ipc.maxsockbuf=8388608
    ##最大的套接字缓冲区
    kern.ipc.somaxconn=8192
    ##最大的等待连接完成的套接字队列大小,高负载服务器和受到分布式服务阻塞攻击的系统也许
    会因为这个队列被塞满而不能提供正常服务。默认仅为128,根据机器和实际情况需要改动,太大就浪费了内存
    kern.maxfiles=65536
    ##系统中允许的最多文件数量,缺省的是几千个但如果你在运行数据库或大的很吃描述符的进程可以把它设到1万或2万个
    kern.maxfilesperproc=32768
    ##每个进程能够同时打开的最大文件数量
    net.inet.tcp.delayed_ack=0
    ##当一台计算机发起TCP连接请求时,系统会回应ACK应答数据包。该选项设置是否延迟ACK应答数据包,把它和包含数据的数据包一起发送,在高速网络和低负载的情况下会略微提高性能,但在网络连接较差的时候,对方计算机得不到应答会持续发起连接请求,反而会降低性能。
    net.inet.tcp.sendspace=65535
    ##最大的待发送TCP数据缓冲区空间,应用程序将数据放到这里就认为发送成功了,系统TCP堆栈保证数据的正常发送
    net.inet.tcp.recvspace=65535
    ##最大的接受TCP缓冲区空间,系统从这里将数据分发给不同的套接字,增大该空间可提高系统瞬间接受数据的能力以提高性能。
    net.inet.udp.recvspace=65535
    ##最大的接受UDP缓冲区大小
    net.inet.udp.maxdgram=57344
    ##最大的发送UDP数据缓冲区大小
    net.local.stream.recvspace=32768
    ##本地套接字连接的数据接收空间
    net.local.stream.sendspace=65535
    ##本地套接字连接的数据发送空间
    net.inet.icmp.drop_redirect=1
    net.inet.icmp.log_redirect=1
    net.inet.ip.redirect=0
    #net.inet6.ip6.redirect=0
    ##屏蔽ICMP重定向功能
    net.inet.icmp.bmcastecho=0
    net.inet.icmp.maskrepl=0
    ##防止广播风暴
    net.inet.icmp.icmplim=100
    ##限制系统发送ICMP速率
    net.inet.icmp.icmplim_output=0
    net.inet.tcp.drop_synfin=1
    ##安全参数,编译内核的时候加了options TCP_DROP_SYNFIN才可以用
    net.inet.tcp.always_keepalive=0
    ##设置为1会帮助系统清除没有正常断开的TCP连接,这增加了一些网络带宽的使用,但是一些死掉的连接最终能被识别并清除。死的TCP连接是被拨号用户存取的系统的一个特别的问题,因为用户经常断开modem而不正确的关闭活动的连接。
    net.inet.ip.intr_queue_maxlen=1000
    ##若看到net.inet.ip.intr_queue_drops这个在增加,就要调大net.inet.ip.intr_queue_maxlen,为0最好
    ####以下为防止dos攻击#####
    net.inet.tcp.msl=7500
    ##freebsd默认为30000
    net.inet.tcp.blackhole=2
    ##接收到一个已经关闭的端口发来的所有包,直接drop,如果设置为1则是只针对TCP包
    net.inet.udp.blackhole=1
    ##接收到一个已经关闭的端口发来的所有UDP包直接drop
    ########end#################
    net.inet.ipf.fr_tcpidletimeout=7200
    net.inet.ipf.fr_tcpclosewait=60
    net.inet.ipf.fr_tcplastack=120
    net.inet.ipf.fr_tcptimeout=120
    net.inet.ipf.fr_tcpclosed=60
    net.inet.ipf.fr_udptimeout=90
    net.inet.ipf.fr_icmptimeout=35
    net.inet.ipf.fr_tcphalfclosed=300
    net.inet.ipf.fr_defnatage=600
    net.inet.tcp.inflight.enable=1
    ## 为网络数据连接时提供缓冲
    net.inet.ip.fastforwarding=0
    ##如果打开的话每个目标地址一次转发成功以后它的数据都将被记录进路由表和arp数据表,节约路由的计算时间,但会需要大量的内核内存空间来保存路由表。
    #kern.polling.enable=1
    ##打开POLLING功能
    ##SMP不能和polling一起用
    #########################The end##################################################
    3、设置rc.sysctl, rc.conf 和 sysctl.conf 权限:
    chmod 600 /etc/rc.sysctl
    chmod 600 /etc/rc.conf
    chmod 600 /etc/sysctl.conf
    4、优化启动选项
    ##################编辑/boot/loader.conf优化启动########
    autoboot_delay="2"
    ## 设置启动等待时间为2秒。
    kern.ipc.nmbclusters="32768"
    ##设置系统的mbuf大小,系统的缓冲区
    kern.ipc.maxsockets="16384"
    ## 增大线程间套接字数量
    net.inet.tcp.tcbhashsize="10240"
    ## 增大TCP控制块数量
    beastie_disable="YES"
    ## 关闭小恶魔图像启动菜单
    #############################################
    5、增强ipfilter功能
    修改/sys/contrib/ipfilter/netinet/ip_nat.h,把里面的LARGE_NAT前面的注释去掉,改为#define LARGE_NAT
    修改/sys/contrib/ipfilter/netinet/ip_state.h
    IPSTATE_SIZE 64997
    IPSTATE_MAX 45497
    IP_STATE_MAX=IPSTATE_SIZE*0.7左右
    第一个可以调到10万左右
    注意都要是质数
    6、编译内核
    ##############打系统补丁以后重新编译内核#############
    cd /usr/src
    fetch http://people.freebsd.org/~delphij/patch-SMP
    patch 重新编译内核并重新启动。
    #这是针对5.3 SMP的delphij大哥做的补丁,
    cd /sys/contrib/ipfilter/netinet/
    patch 这个是针对ip_nat的一个补丁,也可以自己手动注释,改了ip_nat的参数以后编译内核会提示两个变量没有定义。
    cd /usr/src
    make buildkernel KERNCONF=proxy
    make installkernel KERNCONF=proxy
    reboot
    这种编译方法将保留原来的kernel为kernel.old,
    这样如果你做错了什么,就有机会通过boot:出现时输入kernel.old来恢复。
    ######如果用config/make编译内核的会在/usr/src产生很多中间文件#########
    cd /usr/src/sys/i386/conf
    /usr/sbin/config proxy
    cd ../compile/proxy
    make depend
    make
    make install
    reboot
    #########################################################################
    7、自动备份日志
    目前方法不太成熟,我曾经试过把nat.log清空,但是也许是因为系统正在频繁地写入该文件,所以我只能是先暂停记录,备份完记录以后再重新开始记录,好在我是一个小时备份一个日志文件,拷贝这一小时的记录不用很长时间的,所以基本上不会少记录东西的,看到本文的兄弟们如果有更好的切实可行的方法,望告诉我一声,多谢!
    #################/usr/local/beifen.sh
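    #!/bin/sh
    # beifen.sh - hourly backup of the ipmon NAT log (/var/nat.log).
    #
    # Procedure described in the guide: stop ipmon so the file is quiet,
    # copy the log into a per-day directory under /usr/local/logbak, empty
    # the log, then start ipmon again.  Intended to be run from cron with no
    # arguments.  Exit status is 0 unless ipmon itself fails to start.
    set -u

    year=$(date +%Y)
    month=$(date +%m)
    day=$(date +%d)
    stamp=$(date +%Y%m%d%H%M)
    dest=/usr/local/logbak/$year/$month/$day

    mkdir -p -- "$dest"

    # ipmon may not be running (first run, earlier crash); that is not an
    # error here - we still want the copy and the restart below.
    killall ipmon || :

    # Only truncate the log once the copy has succeeded; the original
    # emptied it unconditionally, so a failed copy lost an hour of records.
    if cp -- /var/nat.log "$dest/$stamp.log"; then
      # Truncate in place (the original "cat > /var/nat.log" only worked
      # because cron supplies /dev/null on stdin).
      : > /var/nat.log
    else
      printf '%s: backup of /var/nat.log failed, log left untouched\n' "$0" >&2
    fi

    # Restart logging.  The command name on this line was lost in the page
    # ("... ; /var/nat.log &"); the guide kills ipmon above and says logging
    # resumes after the copy, so ipmon is restored here.  Full path because
    # cron's default PATH may not include /sbin (the guide's own crontab uses
    # /sbin/reboot for the same reason).  Always reached, even if the copy
    # failed, so the logging gap stays as short as possible.
    /sbin/ipmon /var/nat.log &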
    #############################################
    chmod +x /usr/local/beifen.sh
    crontab -e
    编辑一个文件:
    0 0 * * * /usr/local/beifen.sh
    0 1 * * * /usr/local/beifen.sh
    0 2 * * * /usr/local/beifen.sh
    0 3 * * * /usr/local/beifen.sh
    2 3 * * 1 /sbin/reboot
    0 4 * * * /usr/local/beifen.sh
    0 5 * * * /usr/local/beifen.sh
    0 6 * * * /usr/local/beifen.sh
    0 7 * * * /usr/local/beifen.sh
    0 8 * * * /usr/local/beifen.sh
    0 9 * * * /usr/local/beifen.sh
    0 10 * * * /usr/local/beifen.sh
    0 11 * * * /usr/local/beifen.sh
    0 12 * * * /usr/local/beifen.sh
    0 13 * * * /usr/local/beifen.sh
    0 14 * * * /usr/local/beifen.sh
    0 15 * * * /usr/local/beifen.sh
    0 16 * * * /usr/local/beifen.sh
    0 17 * * * /usr/local/beifen.sh
    0 18 * * * /usr/local/beifen.sh
    0 19 * * * /usr/local/beifen.sh
    0 20 * * * /usr/local/beifen.sh
    0 21 * * * /usr/local/beifen.sh
    0 22 * * * /usr/local/beifen.sh
    0 23 * * * /usr/local/beifen.sh
    (七) 邮件服务器安装与设置
    第一部分:安装邮件服务器:postfix+vm-pop3d+openwebmail
    以下的安装在FreeBSD 5.2.1系统上完成
    1.更新 ports
    # cvsup -gL 2 -h cvsup.freebsdchina.org /usr/share/examples/cvsup/ports-supfile
    2. 安装 openssl+apache 服务器
    # cd /usr/ports/security/openssl
    # make install
    # make clean
    # cd /usr/ports/www/apache2
    # make install
    # make clean
    # vi /etc/rc.conf
    apache2_enable="YES"
    3. 安装 openwebmail
    # cd /usr/ports/mail/openwebmail/
    # make WITH_QUOTA=yes install
    # make clean
    4. 安装 postfix ,在安装过程中用yes回答提出的问题
    # cd /usr/ports/mail/postfix/
    # make install
    # make clean
    # vi /etc/rc.conf
    为了能启动postfix加入:
    sendmail_enable="YES"
    sendmail_flags="-bd"
    sendmail_pidfile="/var/spool/postfix/pid/master.pid"
    sendmail_outbound_enable="NO"
    sendmail_submit_enable="NO"
    5. 安装 vm-pop3d
    # cd /usr/ports/mail/vm-pop3d
    # make install
    # make clean
    6. 配置 postfix
    # vi /usr/local/etc/postfix/main.cf
    添加:
    myhostname = nero.3322.org
    mydomain = nero.3322.org
    virtual_alias_maps=hash:/usr/local/etc/postfix/virtual
    alias_maps=hash:/usr/local/etc/postfix/aliases
    default_privs=nobody
    allow_mail_to_commands = alias,forward,include
    allow_mail_to_files = alias,forward,include
    下面我加入一个 nero.3322.org 的虚拟域,并添加一个用户llzqq
    # vi /usr/local/etc/postfix/virtual
    添加:
    nero.3322.org anything //之间用[tab]
    llzqq@nero.3322.org llzqq.nero.3322.org //之间用[tab]
    执行下面的命令,生成 virtual.db:
    # cd /usr/local/etc/postfix/
    # postmap virtual
    # vi /usr/local/etc/postfix/aliases
    添加:
    llzqq.nero.3322.org:/var/spool/virtual/nero.3322.org/llzqq
    执行下面的命令,生成 aliases.db:
    # cd /usr/local/etc/postfix
    # postalias aliases
    7. 配置 vm-pop3d 使其开机自动执行
    # cd /usr/local/etc/rc.d
    # mv vm-pop3d.sh.sample vm-pop3d.sh
    配置 openwebmail 支持 nero.3322.org 域,创建下面的文件:
    # vi /usr/local/www/cgi-bin/openwebmail/etc/sites.conf/nero.3322.org
    =========================== nero.3322.org =======================
    auth_module auth_vdomain.pl
    auth_withdomain yes
    mailspooldir /var/spool/virtual/nero.3322.org
    use_syshomedir no
    use_homedirspools no
    enable_autoreply no
    enable_setforward no
    enable_vdomain yes
    vdomain_admlist llzqq //这里设置了这个域的管理员
    vdomain_maxuser 500
    vdomain_vmpop3_pwdpath /usr/local/etc/virtual
    vdomain_vmpop3_pwdname passwd
    vdomain_vmpop3_mailpath /var/spool/virtual
    vdomain_postfix_aliases /usr/local/etc/postfix/aliases
    vdomain_postfix_virtual /usr/local/etc/postfix/virtual
    vdomain_postfix_postalias /usr/local/sbin/postalias
    vdomain_postfix_postmap /usr/local/sbin/postmap
    # quota设置部分
    quota_module quota_du.pl
    quota_limit 52400 //定义了邮箱大小
    quota_threshold 85
    delmail_ifquotahit no
    delfile_ifquotahit no
    =========================== nero.3322.org =======================
    # mkdir -p /var/spool/virtual/nero.3322.org
    # chown nobody /var/spool/virtual/nero.3322.org
    # chgrp mail /var/spool/virtual/nero.3322.org
    # mkdir -p /usr/local/etc/virtual/nero.3322.org
    # touch /usr/local/etc/virtual/nero.3322.org/passwd
    # chmod 644 /usr/local/etc/virtual/nero.3322.org/passwd
    # htpasswd /usr/local/etc/virtual/nero.3322.org/passwd llzqq
    # chmod 755 /usr/local/www/cgi-bin/openwebmail/etc/users
    # sync
    # reboot
    8. 最后通过浏览器登录到OPENWEBMAIL
    第二部分:防病毒、垃圾邮件:clamav+amavisd-new+spam
    1.0 安装clamav:
    # cd /usr/ports/security/clamav
    # make install
    # make clean
    # vi /usr/local/etc/clamav.conf
    ===============================clamav.conf============================
    # Comment or remove the line below.
    # Example
    LogFile /var/log/clamav/clamd.log
    LogFileMaxSize 1M
    LogTime
    LogVerbose
    PidFile /var/run/clamav/clamd.pid
    DataDirectory /usr/local/share/clamav
    LocalSocket /tmp/clamd
    StreamMaxLength 10M
    MaxThreads 10
    MaxDirectoryRecursion 15
    User clamav
    ScanMail
    ScanArchive
    ScanRAR
    ArchiveMaxFileSize 10M
    ArchiveMaxRecursion 5
    ArchiveMaxFiles 1000
    ClamukoScanOnOpen
    ClamukoScanOnClose
    ClamukoScanOnExec
    ClamukoIncludePath /var/spool/virtual
    ClamukoMaxFileSize 6M
    ClamukoScanArchive
    ===============================clamav.conf============================
    1.1 更新病毒库
    # /usr/local/etc/rc.d/clamav-freshclam.sh start
    2.0 安装amavisd-new
    # cd /usr/ports/security/amavisd-new
    # make install
    # make clean
    # cd /usr/local/etc
    # mv amavisd.conf-dist amavisd.conf
    # vi amavisd.conf
    ============================== amavisd.conf ===============================
    $MYHOME = '/var/amavis'; # (default is '/var/amavis')
    $mydomain = 'nero.3322.org'; # (no useful default)
    $daemon_user = 'vscan'; # (no default; customary: vscan or amavis)
    $daemon_group = 'vscan'; # (no default; customary: vscan or amavis)
    $log_level = 0;
    $sa_spam_subject_tag = '***SPAM***';
    $virus_admin = "root\@$mydomain";
    $spam_admin = "llzqq\@$mydomain";
    $mailfrom_notify_admin = "llzqq\@$mydomain";
    $mailfrom_notify_recip = "llzqq\@$mydomain";
    $mailfrom_notify_spamadmin = "llzqq\@$mydomain";
    $inet_socket_bind = '127.0.0.1';
    $forward_method = 'smtp:127.0.0.1:10025';
    $notify_method = $forward_method;
    $inet_socket_port = 10024;
    $max_servers = 2;
    ['Clam Antivirus-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", '/tmp/clamd'],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
    ============================== amavisd.conf ===============================
    2.1 要启动clamav和amavisd-new需要配置一下/etc/rc.conf
    # vi /etc/rc.conf
    spamd_enable="YES"
    amavisd_enable="YES"
    clamav_clamd_enable="YES"
    3.0 由于在安装amavisd-new时spamassassin被一起安装了下面对其进行配置
    3.1 建立过滤规则:
    # cd /usr/local/etc/mail/spamassassin
    # env LANG=C vi local.cf
    =============================== local.cf ===============================
    # SpamAssassin config file for version x.xx
    # generated by http://www.yrex.com/spam/spamconfig.php (version 1.01)
    # How many hits before a message is considered spam.
    required_hits 4.0
    # Whether to change the subject of suspected spam
    rewrite_subject 1
    # Text to prepend to subject if rewrite_subject is used
    subject_tag *****SPAM*****
    # Encapsulate spam in an attachment
    report_safe 1
    # Use terse version of the spam report
    use_terse_report 0
    # Enable the Bayes system
    use_bayes 1
    # Enable Bayes auto-learning
    auto_learn 1
    # Enable or disable network checks
    skip_rbl_checks 1
    use_razor2 0
    use_dcc 0
    use_pyzor 0
    # Mail using languages used in these country codes will not be marked
    # as being possibly spam in a foreign language.
    # - chinese english
    ok_languages zh en
    # Mail using locales used in these country codes will not be marked
    # as being possibly spam in a foreign language.
    ok_locales en zh
    score SUBJ_FULL_OF_8BITS 2
    score NO_REAL_NAME 4.0
    =============================== local.cf ===============================
    3.2 下载新的垃圾邮件地址列表文件
    # cd /usr/local/share/spamassassin
    # fetch http://anti-spam.org.cn/rules/sa/55_diy_score.cf
    4.0 对POSTFIX进行配置,在它的配置文件中添加下面的一些内容
    # vi /usr/local/etc/postfix/master.cf
    ---------------------- master.cf ---------------------
    smtp-amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
    127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o mynetworks=127.0.0.0/8
    ---------------------- master.cf ---------------------
    # vi /usr/local/etc/postfix/main.cf
    content_filter = smtp-amavis:[127.0.0.1]:10024
    好了,现在一个基于FreeBSD的功能相对完整的邮件服务器就建立起来了,虚拟域的管理员可以登录OPENWEBMAIL进行用户的添加、删除等操作,虚拟用户可以通过OPENWEBMAIL修改自己的密码。